Red Team Operations: Adversary Emulation and C2 Frameworks

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Red teaming is not just a harder pentest. While penetration testing finds vulnerabilities, red teaming tests the entire security program — the people, processes, and technology together. The goal is to answer the question: can the organization detect and respond to a realistic adversary?

Command and Control Frameworks

C2 infrastructure is the backbone of red team operations. Your C2 framework manages implants on compromised systems, routes communications through redirectors, and provides the interface for post-exploitation activities.

Cobalt Strike remains widely used in commercial red teaming. Its Malleable C2 profiles let you customize network traffic to mimic legitimate applications, making detection harder. Beacon supports HTTP, HTTPS, DNS, and SMB communication channels with configurable sleep times and jitter.
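Sleep times and jitter are the implant's side of this trade-off; the blue team's side is that even jittered call-backs produce inter-arrival times clustered tightly around a mean. The following is an added example, not code from HADESS or from any C2 vendor: it groups constructed proxy-log lines by source and destination, computes the coefficient of variation of the gaps between connections, and flags pairs that look periodic. The log format (timestamp, source IP, destination host, status) and the thresholds are assumptions.

```python
"""Detect periodic (beacon-like) outbound connections in proxy logs.

An implant sleeping for a fixed interval plus jitter produces gaps between
connections whose standard deviation is small relative to the mean. A low
coefficient of variation (stddev / mean) across many connections to the
same destination is the signal used here; human browsing is far burstier.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import random
import statistics


def _build_sample_log():
    """Constructed sample traffic, not a real capture.

    One host calls back every 60 s with 20 % jitter (a beacon-like pattern);
    another host visits a site at irregular, human-like intervals. The
    destination names and IPs are placeholders.
    """
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    t0 = datetime(2026, 2, 28, 9, 0, 0)
    lines = []
    t = t0
    for _ in range(40):
        t += timedelta(seconds=60 * rng.uniform(0.8, 1.2))
        lines.append(f"{t.isoformat()} 10.0.0.15 cdn-assets.example.net 200")
    t = t0
    for _ in range(40):
        t += timedelta(seconds=rng.uniform(2, 900))
        lines.append(f"{t.isoformat()} 10.0.0.23 news.example.org 200")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Assumed log layout: '<iso timestamp> <src ip> <dst host> <status>'."""
    ts, src, dst, _status = line.split()
    return datetime.fromisoformat(ts), src, dst


def beacon_candidates(lines, min_hits=20, max_cv=0.3):
    """Return {(src, dst): (mean_gap_seconds, cv)} for periodic-looking pairs.

    min_hits avoids judging a pair on a handful of connections; max_cv is the
    periodicity threshold (20 % uniform jitter gives a CV of roughly 0.12).
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log lines are not guaranteed to arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = (round(mean, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (mean, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"periodic: {src} -> {dst} every ~{mean}s (cv={cv})")
```

Larger jitter values push the CV up and eventually past the threshold, which is exactly why operators raise jitter; in practice this check is combined with a long observation window and the rarity of the destination across the fleet rather than used alone.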

Sliver is an open-source alternative that has matured significantly. It supports mutual TLS, HTTP(S), DNS, and WireGuard protocols. Its implant generation is flexible, producing executables, shared libraries, and shellcode across platforms.

Mythic provides a modular framework where agents and C2 profiles are developed independently. This separation means you can mix and match agents (written in various languages) with different transport mechanisms.

Regardless of which framework you use, set up proper redirector infrastructure. Your C2 server should never be directly exposed to the target network. Use cloud-hosted redirectors with domain fronting or legitimate-looking domains backed by proper categorization.

Evasion Techniques

Modern security stacks include EDR, next-gen AV, network monitoring, and email filtering. Getting past all of these requires layered evasion.

For initial access, standard phishing payloads get caught immediately. Techniques that currently work include: ISO/IMG containers with embedded LNK files, OneNote attachments with embedded scripts, and signed application abuse (living-off-the-land binaries). The landscape changes constantly — what works today may be detected next month.

On-host evasion means avoiding EDR detection. Direct syscalls bypass userland API hooking. Unhooking NTDLL restores original function code. Process injection into legitimate processes avoids suspicious process creation. Sleep obfuscation encrypts your implant’s memory during sleep intervals so memory scanners find nothing.

AMSI bypass is required for any PowerShell or .NET-based tooling on modern Windows. Patch the AmsiScanBuffer function before loading offensive tools into managed memory.

Persistence Mechanisms

Persistence ensures you maintain access if the initial implant dies. Layer multiple persistence mechanisms at different privilege levels:

  • User-level: Registry Run keys, scheduled tasks, startup folder shortcuts, COM object hijacking
  • Admin-level: Services, WMI event subscriptions, DLL search order hijacking in system paths
  • Domain-level: Golden tickets, Silver tickets, SID history injection, AdminSDHolder modification

Each persistence mechanism has a different detection profile. Registry Run keys are well-monitored; WMI event subscriptions less so. Choose based on the target’s detection capabilities, which you should be mapping throughout the engagement.
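The detection-profile point above is easiest to see from the blue team's seat. This added example (not HADESS code) correlates Sysmon-style telemetry for the two mechanisms the paragraph contrasts: WMI event subscriptions, which only become dangerous once a filter is bound to a consumer that executes something (Sysmon event IDs 19, 20 and 21), and Registry Run-key writes (event ID 13). The event records are constructed, the field names are a simplified rendering of Sysmon's, and the host, user, object names and paths are placeholders.

```python
"""Flag WMI event-subscription and Run-key persistence in Sysmon-style events.

WMI persistence is three objects: an __EventFilter (Sysmon ID 19), an
event consumer (ID 20) and the binding between them (ID 21). Alerting on the
binding, and only when the consumer type can execute code, keeps noise from
the many benign filters and consumers management software creates.
"""
from collections import namedtuple

Alert = namedtuple("Alert", "technique host summary")

# Constructed sample events (not real telemetry). Field names are a simplified
# rendering of Sysmon event data; names, users and paths are placeholders.
SAMPLE_EVENTS = [
    # Benign: monitoring agent creates a filter but never binds it to a consumer.
    {"ts": "2026-02-28T09:58:00", "event_id": 19, "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "name": "AgentHealthFilter", "query": "SELECT * FROM __InstanceModificationEvent WITHIN 300 "
     "WHERE TargetInstance ISA 'Win32_Service'"},
    # Suspicious: filter + command-line consumer + binding, all within seconds.
    {"ts": "2026-02-28T10:00:01", "event_id": 19, "host": "WS01", "user": "CORP\\placeholder-admin",
     "name": "UpdFilter", "query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"ts": "2026-02-28T10:00:02", "event_id": 20, "host": "WS01", "user": "CORP\\placeholder-admin",
     "name": "UpdConsumer", "type": "Command Line", "destination": "C:\\Users\\Public\\placeholder.exe"},
    {"ts": "2026-02-28T10:00:03", "event_id": 21, "host": "WS01", "user": "CORP\\placeholder-admin",
     "consumer": "UpdConsumer", "filter": "UpdFilter"},
    # Benign: installer writes an uninstall entry.
    {"ts": "2026-02-28T10:05:00", "event_id": 13, "host": "WS01", "user": "CORP\\placeholder-user",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ExampleApp\\DisplayName",
     "details": "Example App"},
    # Suspicious: new Run key value pointing at a user-writable path.
    {"ts": "2026-02-28T10:06:00", "event_id": 13, "host": "WS01", "user": "CORP\\placeholder-user",
     "target_object": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Users\\placeholder-user\\AppData\\Roaming\\placeholder.exe"},
]

# Consumer classes that execute code when the bound filter fires.
ACTIVE_CONSUMER_TYPES = {"Command Line", "Active Script"}
# Autostart key fragments, matched case-insensitively against the full path.
RUN_KEY_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def detect_persistence(events):
    """Return a list of Alert tuples for the persistence patterns found."""
    filters, consumers, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["event_id"]
        if eid == 19:
            filters[ev["name"]] = ev
        elif eid == 20:
            consumers[ev["name"]] = ev
        elif eid == 21:
            cons = consumers.get(ev["consumer"])
            filt = filters.get(ev["filter"])
            # A binding to a consumer we never saw created is still worth an
            # alert: the creation may predate the log window.
            ctype = cons["type"] if cons else "unknown"
            if cons is None or ctype in ACTIVE_CONSUMER_TYPES:
                dest = cons["destination"] if cons else "?"
                query = filt["query"] if filt else "?"
                alerts.append(Alert(
                    "T1546.003", ev["host"],
                    f"WMI binding {ev['filter']} -> {ev['consumer']} ({ctype}) "
                    f"runs {dest} on: {query}"))
        elif eid == 13:
            path = ev["target_object"].lower()
            if any(frag in path for frag in RUN_KEY_FRAGMENTS):
                alerts.append(Alert(
                    "T1547.001", ev["host"],
                    f"Run key {ev['target_object']} set to {ev['details']} by {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for a in detect_persistence(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.host}: {a.summary}")
```

The two rules differ in the way the paragraph describes: the Run-key rule is a one-event string match that every EDR ships, while the WMI rule needs the three events correlated and the consumer type inspected, which is why it is deployed far less often and why the mechanism is "less monitored".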

Adversary Emulation

Structured adversary emulation follows documented threat actor TTPs. Use MITRE ATT&CK as your reference framework. Select a threat actor relevant to the client’s industry, map their known techniques, and replicate them.

This approach produces actionable results. Instead of “we got domain admin,” the finding becomes “APT29 Technique T1053.005 (Scheduled Task) was used for persistence and was not detected by your EDR for 72 hours.” The blue team gets specific detection gaps to address, mapped to real threats they actually face.

Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
